
1 MAWC – Radford University 2010 Part 2: Input validation attacks continued … Prem Uppuluri, PhD Asst. Professor Radford University, Radford, VA Notes on these slides are primarily from: slides provided with the textbook: Foundations of Security: Neil Daswani et al. ©Neil Daswani, ISBN-13: This is a recommended textbook for the course.

2 Input size validation is good, but not enough … You also need to validate the “type” of the input: checking the size alone is not enough! Examples (next): SQL injection, HTTP parameter tampering, cross-site scripting.

3 Note: The rest of this lecture is not from the textbook. Please take notes.

4 Next: SQL injection attack. Before that: everything we need to know for the moment about SQL.
Consider a university database that maintains information about every student, such as:
– their id, major, the specific concentrations in their major, the core courses of their concentration, etc.
This information can be organized into multiple tables. E.g.:
– studentTable can contain the columns: student name, SSN, major, courses taken.
– majorTable can contain information about the major and the different concentrations in the major.
– concentrationTable can contain columns such as concentration name, core courses, electives, credit-hour requirement, etc.
Database management systems (such as Oracle) provide a language that lets users create or update such tables and query them.

5 Everything we need to know for the moment about SQL (2)
SQL (Structured Query Language):
– It is the language used to query relational databases such as Oracle.
– It falls under a class of programming languages called domain-specific languages (DSLs).
– How is a DSL different from a generic high-level programming language such as Java? As the name suggests, DSLs are programming languages specific to one domain, e.g., databases, or programming routers.
Some of the things you can do with SQL:
– Create tables in a database, e.g., a student table and a concentration table.
– Query tables (multiple tables at a time) to extract information. E.g., what are the core courses a student Xunil must take? This involves querying two tables: the student table and the concentration table.

6 Some common queries in SQL
Creating a table:
create table studentTable (studentName varchar(100), SSN bigint, … )
Querying a table:
select * from studentTable
returns all the rows of the table.
Inserting:
insert into studentTable (studentName) values ('Xunil')
© Daswani

7 Web servers + databases (2)
Web servers can connect to databases using different technologies:
– E.g., JDBC (if the web server is running Java-based extensions) or through .NET (if it is based on ASP.NET).
So let us see at a high level how the technology works. © Daswani

8 A common configuration of a web server: example of a web server for a library. (Diagram: Web Browser (Client) ↔ Web Server of the Library ↔ DB containing the list of books.) © Daswani

9 Web servers + databases (3) Using the web server:
Step 1: The user (web client) requests the catalogSearch.html file.
Step 2: The user then enters the keyword to search and presses “submit”. At this time, the following request is sent to the web server:
GET /submit_search?keyword='computer'&'security'
(Example shown in class using McConnell Library.) © Daswani

10 Web server + database (4)
Step 3: The web server contacts the DB for information. The code that connects to the database from the web server constructs an SQL query to get information from the database. Assume we are using C# on ASP.NET; the specific code snippet could be:
sql_query = "SELECT bookRecords " + "FROM catalogTable " + "WHERE bookname = '" + request.getParameter("BookName") + "'";
SQLQueryResult = SqlCommandObj.sqlcommand(sql_query);
// return result to the user (web client)
© Daswani

11 Web servers + databases = an insecure mix! Summarizing: the browser sends the search term “Computer Security”; the web server builds the following query and sends it to the DB:
SELECT bookRecords FROM catalog WHERE bookName = 'Computer Security'
© Daswani

12 Attack! Now let us see how to attack. Goal: an attacker would like to somehow damage the database or extract information illegally. Any ideas?
String desiredBook = myWebForm.getParameter("bookName");
sql_query = "SELECT BookRecords " + "FROM Catalog " + "WHERE title = '" + desiredBook + "'";
SQLQueryResult = SqlCommandObj.sqlcommand(sql_query);
// return result to the user (web client)
Can we do something with the request's parameter bookName, which was taken (say) from a web form? © Daswani

13 Attack (2) What if the book's name were:
Computer Security'; DROP TABLE Catalog --
Then the server program will construct the following string, which it then hands to the database:
SELECT BookRecords FROM Catalog WHERE title = 'Computer Security'; DROP TABLE Catalog --'
In SQL, the character “;” separates multiple commands. This has the effect of deleting the Catalog table from the database – a DoS attack. (The “--” begins a SQL comment, so that the query's trailing quote character isn't a SQL syntax error.) © Daswani

14 SQL injection: another example. (Diagram: Web Browser (Client) → Web Server → DB.) The user enters a username and password; the server issues:
SELECT passwd FROM USERS WHERE uname = '$username'
The attacker will modify $username. © Daswani

15 SQL injection example. Here is the expected working of a user login. Here an upstanding citizen, Mr. Smith, has entered his username and hard-to-break password… © Daswani

16 SQL injection example. The request for “smith” is processed by the web server by creating a SQL query to the database to get Mr. Smith’s password:
SELECT passwd FROM USERS WHERE uname = 'smith'
© Daswani

17 SQL injection example. Now, here is how an attacker could misuse this system… (turns out Mr. Smith isn’t all that upstanding). Under user name: enter an SQL query… © Daswani

18 SQL injection example. Under user name, enter an SQL query, which results in the following query:
SELECT passwd FROM USERS WHERE uname = ''; DROP TABLE USERS; --'
The “;” is used to separate multiple SQL queries. DROP TABLE results in the table being erased. © Daswani

19 SQL injection example: result
– First the SELECT statement executes; it produces no results.
– Then the DROP TABLE statement executes; no user will be able to log in! © Daswani

20 SQL injection attacks. There are several possible attacks.
– We have already seen DROP TABLE.
– Some other examples:
INSERT INTO adminTable(name, passwd) VALUES ('prem', …)
SELECT * FROM LibraryUsers
will reveal information about all the library users (if that happens to be an actual table name).
Where can we insert these malicious SQL commands?
– Either in the form fields,
– or in the URL itself. © Daswani

21 Other types of SQL injection attacks. The previous attack requires knowing a table name. But depending on how the query is written, there may be other vulnerabilities:
-- expected use:
Select * from … where username='bob' and passwd='xyz'
-- an attack:
Select * from … where username='bob' and passwd='xyz' or 1=1 --'

22 Preventing input validation attacks. How to fix it? Validate the input! Filter out:
– Any character that has a special meaning: apostrophe, double quote, newline, backslash; how about: semicolon? percent sign? hyphen?
Functions for escaping any SQL-specific characters are available: don’t splice $userInput into your query, but rather sanitizeSQL($userInput).

23 Solutions to SQL injection attacks (1) Blacklisting: disallow bad characters.
– Scan the input for the single-quote character etc., and eliminate them (or quote them).
– For example:
SELECT passwd FROM USERS WHERE uname = '\'; DROP TABLE USERS; -- '
The attack won’t work any more; SQL now properly interprets this as a string whose first character happens to be '. But remember to also check for double quote, newline and backslash. Forgetting to blacklist or quote even a single bad character may cause problems.

24 Solutions (2) Whitelisting: only allow safe characters (and flat-out reject other characters). This is the principle of fail-safe defaults: limit the possible inputs to a fixed set of characters. However, this may not always be user friendly (Peter O'Toole and Mötley Crüe can't use your site).
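The following is an added example, not code from the lecture or from the Daswani textbook. It puts the slide-21 login query beside two of the fixes from slides 22–24: a parameterized query (the escaping function the slides call sanitizeSQL, done by the database driver) and a whitelist for usernames. The USERS table, the user bob/xyz and the attack string are all constructed here; the in-memory SQLite database stands in for the lecture's Oracle server.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the lecture's USERS table.
# (The lecture stores plaintext passwords; a real system stores password hashes.)
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, passwd TEXT)")
    db.execute("INSERT INTO users VALUES ('bob', 'xyz')")
    db.commit()
    return db

def build_query_concat(username, password):
    # The slide-21 pattern: user input spliced straight into the SQL text.
    return ("SELECT * FROM users WHERE username='" + username +
            "' AND passwd='" + password + "'")

def login_concat(db, username, password):
    """Vulnerable login: True if the spliced-together query finds a row.
    A password such as  wrong' or 1=1 --  turns the WHERE clause into
    username='bob' AND passwd='wrong' OR 1=1, which is always true."""
    return db.execute(build_query_concat(username, password)).fetchone() is not None

def login_param(db, username, password):
    """Fixed login: '?' placeholders hand the input to the driver as data,
    so quotes, semicolons and '--' inside it are never parsed as SQL."""
    row = db.execute(
        "SELECT * FROM users WHERE username=? AND passwd=?",
        (username, password),
    ).fetchone()
    return row is not None

# Whitelisting (slide 24): usernames may contain only these characters.
# As the slide warns, this rejects legitimate names like O'Toole.
USERNAME_OK = re.compile(r"[A-Za-z0-9_]{1,32}")

def is_allowed_username(username):
    return USERNAME_OK.fullmatch(username) is not None

if __name__ == "__main__":
    db = make_db()
    attack = "wrong' or 1=1 --"   # constructed: the slide-21 password string
    print(build_query_concat("bob", attack))
    print("concat login with injected password:", login_concat(db, "bob", attack))
    print("param  login with injected password:", login_param(db, "bob", attack))
    print("allowlist accepts O'Toole:", is_allowed_username("O'Toole"))
```

Note that sqlite3's execute() refuses to run two statements at once, so the DROP TABLE variant from slide 18 is blocked by the driver here regardless; the `or 1=1 --` variant is the one that shows the difference between splicing and parameters.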

25 Dropping tables. Cartoon © xkcd

26 HTTP basics. To understand this attack, we need to know the HTTP protocol. The HTTP protocol supports two messages:
– GET allows you to download web pages.
– PUT allows you to upload data/web pages.

27 HTTP basics. A web site usually operates as follows (diagram: User (Client) → Web Browser (Client), e.g., IE, Firefox → Web Server, e.g., MS IIS, Apache):
STEP 1: The user types a request.
STEP 2: The request gets translated into the HTTP protocol by the web browser.

28 HTTP basics (same diagram). STEP 3: The response to the request comes back to the browser, with a status message and (optionally) the page. Example status messages: HTTP 200 OK + the page, or HTTP 404: not found.

29 HTML input fields. Some HTML causes the browser to generate input forms (pull-downs, checkboxes, text boxes…). Example: a sample form. When the user presses "submit", it's just like requesting another web page, except that the input fields are included in the HTTP request.

30 Forging input fields. A user can 'show source' to see the HTML the browser gets. We can save-as, edit the file, and then submit with bad data! Solutions? Validate the data server-side, too.

31 Hidden parameter manipulation attack. Objective: if the page uses a hidden input in its HTML, alter it for fun and profit. HTML forms support “hidden inputs”: fields that are not displayed by the browser but are still embedded inside the web page. A web programmer might use these to solve the "HTTP state problem": how to remember, on a later page, what was entered on an earlier page. Unfortunately, “hidden” fields in HTML are not really hidden.

32 Detailed explanation. HTML provides support for “hidden inputs”: data that is embedded into an HTML form, is not displayed by the browser, but is returned to the server upon 'submit'.
– It was originally designed to support “shopping cart” functionality. E.g.:
– Assume you add an item to a shopping cart and 'submit'.
– Assume the lazy web server doesn't remember your item; instead it returns the shopping page, but with your item stored as a hidden input.
– If the user later submits that (new) shopping page, it will submit the new purchase and the old, hidden input.

33 HTTP parameter tampering attack: buying pizza example. (Diagram: Web Browser (Client) ↔ Web Server ↔ Credit Card Payment Gateway.) Order 1 pizza → OK; [cost $5.50] Confirm? → Yes; [cost $5.50]. The client's browser controls this response. Goal: trick the credit card gateway into charging a different amount. Modified by Ian Barland

34 Buy pizza: order.html. Assume the pizza restaurant has the following website. STEP 1: The user enters the number of pizzas and the credit card number, and then clicks on “ORDER”.

35 Confirm order: confirm.cgi. STEP 2: The pizza restaurant’s web server responds with the following message to confirm the order. (Typo in the figure below: it should read “Are you sure you would like to order?”) STEP 3: The attacker doesn’t immediately click “yes”. Instead...

36 Confirm order: view source. STEP 4: The attacker doesn’t immediately click “yes”. Instead, the attacker gets the “source” of the HTML file to see whether the number $5.50 is stored in some hidden field.

37 The price variable is not (really) hidden! STEP 4 (cont'd): Notice that the price of the pizza, 5.50, is stored in a hidden input field. The server presumes that, since it is hidden, the client can't see it or change it.

38 Next… The “price” is a hidden input: that is, the server asks the client (browser) not to show it, but still to submit it as if it had been typed by the user. If the “yes” button is clicked now, the submitted form would include "pay=yes" and "price=5.50". The server would then charge the credit card $5.50 and dispatch the delivery person.

39 Attacker changes price! STEP 5: The attacker changes the price of the pizza.

40 Save, reopen, and submit! STEP 6: The attacker saves the new HTML file.

41 Confirm order: attack.html. STEP 7: The attacker sends the request off by clicking on “yes”.

42 Buying pizza example (diagram): Order 1 pizza → OK; [cost $5.50] Confirm? → Yes; [cost $0.01] → Submit Order $0.01 to the Credit Card Payment Gateway. The server has blindly relayed the attacker's tampered price! Modified by Ian Barland
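The following is an added example, not code from the lecture, the textbook or any real confirm.cgi. It contrasts a confirm handler that trusts the "price" hidden field the browser sent back (slides 37–42) with one that applies the slide-30 rule, "validate the data server-side": the total is recomputed from a server-side price list, and the submitted price is treated only as a consistency check. The MENU price list, the form dictionaries and the quantity field are constructed here for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side price list: the only price the server should ever trust.
MENU = {"pizza": Decimal("5.50")}

def charge_trusting_form(form):
    """Vulnerable confirm.cgi (slide 42): charges whatever 'price' the
    browser sent back, so a form edited to price=0.01 is charged 0.01."""
    return Decimal(form["price"])

def confirm_order(form):
    """Fixed confirm.cgi: recompute the amount from MENU and the quantity,
    then compare it with the submitted hidden field.  Returns
    (accepted, amount); a mismatch means the hidden field was altered."""
    try:
        qty = int(form.get("quantity", "0"))
        submitted = Decimal(form.get("price", ""))
    except (ValueError, InvalidOperation):
        return False, Decimal("0")          # malformed input: reject
    if form.get("pay") != "yes" or qty < 1:
        return False, Decimal("0")
    expected = (MENU["pizza"] * qty).quantize(Decimal("0.01"))
    if submitted != expected:
        # Tampered or stale price: refuse the order; this is also the place
        # to log the event, since honest browsers never change the field.
        return False, expected
    return True, expected

if __name__ == "__main__":
    # Constructed form submissions: the honest one from slide 38 and the
    # edited one from slide 42.
    honest = {"quantity": "1", "price": "5.50", "pay": "yes"}
    tampered = {"quantity": "1", "price": "0.01", "pay": "yes"}
    print("trusting handler charges:", charge_trusting_form(tampered))
    print("recomputing handler, honest form:", confirm_order(honest))
    print("recomputing handler, tampered form:", confirm_order(tampered))
```

With the recomputing handler the hidden field is no longer an authority on anything; it can be kept for display, but the database or price list decides what is charged.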

43 HTML injection attack. In HTML, angle brackets don't represent text; they represent the structure of the text (e.g., where paragraphs start/end, what text is a header, etc.). If a browser, when receiving a string of HTML, sees a '<', it knows to treat that as a tag, not as text.

44 HTML injection attack (2). A server might often create a page containing "Hello, $name, how are you?" where $name was taken from previous user input. What characters might be inside $name that would confuse the browser? Try this form.

45 HTML sanitization. (Recall: this is the same problem as when user input was spliced into strings that were then used as SQL queries.) If you want a browser to display a less-than symbol as text, you must write "&lt;" instead of "<".

46 HTML sanitization (2). Solution: replace any characters that would represent HTML structure with a string that represents HTML data:
$nameAsHTMLData = sanitizeHTML($name);
echo "Hello, $nameAsHTMLData, how are you?";
The function sanitizeHTML just replaces each '<' with "&lt;", etc.

47 Next attack: cross-site scripting. Preliminaries:
– What is JavaScript?
– What is an applet?
Many web clients support JavaScript. If your client supports JavaScript, then a web server can make your client (browser) run a script. Example: how does this work? Scripts can be internal or external (see the example in the URL above). Also, scripts can take input from the URL. Cross-site scripting takes advantage of these external scripts with input from the URL.

48 Cross-site scripting (2). If you browse to an HTML page that takes input from the URL, you are in trouble! Why? E.g., let the URL carry the string “hello”. Let us assume this website takes the string “hello” and prints “hello”, i.e., it returns the HTML page: Hello. Now, if an attacker manages to convince you to click on a link that carries a script instead, the website will return an HTML page containing <script src="bad_script">. If bad_script is a malicious JavaScript program, then we are in trouble.
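The following is an added example, not code from the lecture or the textbook. It covers slides 44–48 together: a greeting page reads its $name parameter from the URL, one version splices it in as-is and the other passes it through the equivalent of the slides' sanitizeHTML (Python's html.escape). A small HTMLParser subclass then lists the tags a browser would see in each page, which is the check a reviewer or a test suite can run to confirm that parameter text never becomes structure. The URL, the hostname example.test and the "name" parameter are constructed for the example; bad_script is the name used on slide 48.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed URL: a <script> tag smuggled into the 'name' parameter,
# the way slide 48 describes.
EXAMPLE_URL = "http://example.test/greet?" + urlencode(
    {"name": '<script src="bad_script"></script>'}
)

def name_from_url(url):
    """Pull the 'name' query parameter out of a URL, as the slide-48 page does."""
    return parse_qs(urlparse(url).query).get("name", [""])[0]

def render_unsafe(name):
    # Slide-44 pattern: the parameter is spliced into the page as-is, so any
    # '<' inside it is parsed by the browser as a tag.
    return "<p>Hello, " + name + ", how are you?</p>"

def render_safe(name):
    # Slide-46 fix: structural characters become entities (< -> &lt;, " -> &quot;
    # and so on), so the browser shows them as text.
    return "<p>Hello, " + escape(name, quote=True) + ", how are you?</p>"

class TagCollector(HTMLParser):
    """Records every start tag a browser would see in a page."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(page):
    """Return the tag names in document order; used to check that user text
    contributed none of them."""
    parser = TagCollector()
    parser.feed(page)
    parser.close()
    return parser.tags

if __name__ == "__main__":
    name = name_from_url(EXAMPLE_URL)
    print("parameter:", name)
    print("unsafe page tags:", tags_in(render_unsafe(name)))   # ['p', 'script']
    print("safe page tags:  ", tags_in(render_safe(name)))     # ['p']
    print(render_safe("O'Toole"))
```

The escaped page still displays the visitor's text faithfully (O'Toole comes out as O&#x27;Toole in the source and as O'Toole on screen), which is why escaping on output is preferred over rejecting characters at input for free-text fields.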

49 Tools. There are some good tools that will allow you to achieve this attack without going through the preceding steps:
– WebScarab: this is a web proxy that you can run on any machine. It simply intercepts all the requests from your browser as well as the responses that your browser gets, and provides controls to edit HTML fields etc.
– In an upcoming HW, you will be using WebScarab.

50 Other types of application-level attacks: race conditions.

51 Race condition attacks. An attack that results from the interaction between multiple processes.
Client: verifies that the user could write file X.
Attacker: 1. deletes file X; 2. creates a symbolic link from X to a privileged file (e.g. /etc/passwd). This requires only directory-write privileges.
Client: writes file X (as root, on behalf of the authorized user).
In general: the client checks the file's attributes; the attacker changes the file (or its permissions) in the window between the client's check and its use.

52 Why is synchronization necessary? Reason 2: security. Example attack: race condition attacks.
– Some programs such as gcc/g++ create temporary files.
– They assume that the temporary file hasn’t changed from the time of creation till the time they write to it.
– Hence, there is a small time window which can be used by attackers (see the figure).
– Called a race condition because two processes (gcc is one, the attacker’s process is the other) are racing to access the same resource.
(Figure: Check if user can write file X → [Attacker: 1. deletes X; 2. creates symbolic link to privileged file] → Write file X. Likewise: Create temporary file X → [Attacker: 1. deletes X; 2. creates symbolic link to privileged file] → Delete or write file X.)
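The following is an added example, not code from the lecture or the textbook, and it assumes a POSIX system (it uses os.O_NOFOLLOW and symbolic links). It reproduces the check-then-use pattern of slides 51–52 and shows the two defensive patterns that close the window: opening the file once with O_NOFOLLOW and validating the open descriptor with fstat rather than the path name, and creating temporary files with mkstemp, which creates a fresh exclusively-owned file atomically instead of checking a name and then creating it. The scenario is constructed inside a throwaway directory: the "privileged" file and the symlink named X stand in for the slide's /etc/passwd and temp file, and the swap is done by the setup code itself so the result can be checked.

```python
import os
import shutil
import stat
import tempfile

def write_check_then_use(path, data):
    """The slide-51 pattern: check the path, then open the path again to
    write.  Both steps resolve the name afresh, so whatever the name points
    to at the second step is what gets written."""
    if not os.access(path, os.W_OK):      # check (follows symlinks)
        return False
    with open(path, "w") as f:            # use (follows symlinks again)
        f.write(data)
    return True

def write_nofollow(path, data):
    """Safer pattern: open once with O_NOFOLLOW, so a symlink planted at
    `path` makes the open fail (ELOOP); then validate the descriptor we
    actually hold, not the name.  Returns True only if data was written."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:                       # the name was a symlink (or unwritable)
        return False
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return False                  # a device, FIFO, etc. was swapped in
        os.ftruncate(fd, 0)
        os.write(fd, data.encode())
        return True
    finally:
        os.close(fd)

def new_tempfile(directory):
    """For the gcc-style temp file of slide 52: mkstemp creates the file with
    O_CREAT|O_EXCL and mode 0600, so no pre-planted name can be reused."""
    return tempfile.mkstemp(dir=directory)

def demo():
    """Constructed scenario: X has already been replaced by a symlink to
    'privileged'.  Returns (unsafe_wrote, safe_wrote, privileged_contents,
    fresh_file_written, temp_is_regular)."""
    d = tempfile.mkdtemp()
    try:
        target = os.path.join(d, "privileged")
        with open(target, "w") as f:
            f.write("original")
        x = os.path.join(d, "X")
        os.symlink(target, x)             # the swap from the slide, done by the setup
        unsafe = write_check_then_use(x, "clobbered")   # follows the link
        safe = write_nofollow(x, "clobbered")           # refuses the link
        with open(target) as f:
            contents = f.read()
        fresh = write_nofollow(os.path.join(d, "Y"), "fresh")  # plain file: fine
        fd, _ = new_tempfile(d)
        temp_regular = stat.S_ISREG(os.fstat(fd).st_mode)
        os.close(fd)
        return unsafe, safe, contents, fresh, temp_regular
    finally:
        shutil.rmtree(d)

if __name__ == "__main__":
    print(demo())   # (True, False, 'clobbered', True, True)
```

The first result shows the privileged file overwritten through the check-then-use path; the second shows the O_NOFOLLOW open refusing the same name, so the race is removed rather than merely narrowed. A program that must follow symlinks deliberately can instead open the file and compare fstat's device and inode with a prior lstat, but the simplest rule is to do the check on the descriptor you are about to use.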

53 Next: Cryptography.
